Thank you for the reply.

On Wed, Sep 02, 2015 at 11:47:26AM +0200, Daniel Borkmann wrote:

On 09/02/2015 02:04 AM, Ken-ichirou MATSUZAWA wrote:

quoted

Talking about skb_copy path, original skb's shared info is accessed
only in copy_skb_header, to get gso related field. As a result of

It's still not correct. The thing is you can neither call skb_copy() nor
skb_clone() on netlink mmaped skbs. For example, skb_copy_bits() would

I am sorry for the lack of explanation.
And I am afraid I misunderstand...

Updated pointers to its data area in a mmaped netlink skb is only
its tail. Head, data and end will not be updated. skb_copy() calls

    int skb_copy_bits(const struct sk_buff *skb, int offset, void *to, int len)

as its argument, "offset" is always 0 and "len" is skb->len. In
skb_copy_bits() both "start" and "copy" are skb->len, which means
"len - copy" is always 0 so that retuns 0 before accessing shared
info.

I don't know the situation is intended or not, it seems that
skb_copy() for a mmaped skb will not access its shared info.

After that, copy_skb_header() will set newly allocate skb's (wrong)
gso fields, I asked we should clear it or not.

special case. We need an own netlink_mmap_to_full_skb() handler for this,
that copies/transforms this into a "normal" skb. I'll have a look it this

If the above situation is an unintentional, we need it to avoid a
future confusion.

Thanks,